
Responder HTML Pages in Admin Partition


Which firmware are you on?

And which admin permissions do you have assigned for the partition admin? (Built-in or custom; either way, share the regex in use.)

First:  For a regular admin aka no partitions (default partition or no admin partitions in use), this is tricky because you are dealing with CLI and shell access.

If you create a custom admin with the read-only permissions to give most gui navigation options AND then create an additional rule for responder html imports, you will need the following additional rights:

Basic command summary (not full regex)

  • import responder htmlpage, along with rm and show rights: these commands allow the import to be performed, create the file on the file system (using the next command) and create the CLI pointer to the file system object.
  • add system file commands (along with show and rm rights). The problem with this command is that once you grant access to "add system file.*" commands, this can be used to add (and rm/show) any command on the file system. Once we grant access to the system file command you have very little control over what else an admin can do against the file system. But the command is required for the import to work.
  • Because responder imports can come from text in the GUI, or be imported from an existing file or a web page, additional commands may be required. Text import is straightforward; no additional rights are needed. Import from "local file" and "web page" requires access to sftp-server commands, which, just like the "system file" commands, means potentially much broader access than you expect. I couldn't fully test the web page import; it may need more rights than those identified.

So the basic rule I created also includes add/rm/set/unset of responder policy/actions to go along with page imports.

This should be carefully reviewed and evaluated for risk as system file and sftp-server commands are VERY PERMISSIVE and weaken your system security:
Regex example:  

(^((import|rm|show|update) responder htmlpage.*)|((add|rm|show) system file.*)|(sftp-server.*)|((add|rm|show|set|unset|bind|unbind) responder (action|policy).*))

Policy example:
add system cmdPolicy custom_importadmin ALLOW "(^((import|rm|show|update) responder htmlpage.*)|((add|rm|show) system file.*)|(sftp-server.*)|((add|rm|show|set|unset|bind|unbind) responder (action|policy).*))"
Regular Admin (not partition admin) Example: (Using a read-only account to ensure the majority of the GUI loads, and then custom_importadmin to manage the responder policies/actions with page imports.)
bind system user ladmin1 custom_importadmin 90
bind system user ladmin1 read-only 100

NOW: For a partition admin: 

Even the default account (nsroot), with full super user rights to all partitions, or a partition admin with full partition rights (no other restrictions), only has the option to use the URL method for page imports inside a partition (no text or by-file option).

But the principle is the same, unless you want to narrow the rights. I used the same rights as above.

  • Create a partition admin with rights on the necessary partition(s) only.
  • Then bind the partition-readonly rights and the custom responder import rights. 

Partition Example:

add system cmdPolicy custom_importadmin ALLOW "(^((import|rm|show|update) responder htmlpage.*)|((add|rm|show) system file.*)|(sftp-server.*)|((add|rm|show|set|unset|bind|unbind) responder (action|policy).*))"
# partition admin "padmin1" for partition "PartA"

bind system user padmin1 custom_importadmin 90
bind system user padmin1 partition-read-only 100
bind system user padmin1 -partitionName PartA

I would advise extensive testing and review to make sure none of the allowed rights are broader than you require.

Or rely on senior admins creating the imports and partition admins then using them.  
Finally: reviewing audit log

If you need info on reviewing audit commands:

log on as a full system user in the default partition:

shell

cd /var/log

tail -f ns.log 

or

tail -f ns.log | grep CMD_EXEC

And review the allowed/denied commands for working and non-working accounts to tweak the policy. All partitions' audited commands are logged in the system-wide syslog as well.
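As an added example (not from the original post, and not NetScaler's own tooling), the following script does the review step offline: it applies the custom_importadmin regex above to commands pulled from CMD_EXECUTED audit lines and flags which allowed commands were permitted only through the broad "system file" / "sftp-server" alternatives. It assumes the device evaluates a cmdPolicy as a regex search over the full command line, and the log lines are constructed to resemble ns.log entries (only the User, Command and Status fields are parsed).

```python
import re

# The cmdPolicy regex from the post, copied verbatim. Note that only the first
# alternative is anchored with ^; the others match anywhere in the command.
CUSTOM_IMPORTADMIN = (
    r"(^((import|rm|show|update) responder htmlpage.*)"
    r"|((add|rm|show) system file.*)"
    r"|(sftp-server.*)"
    r"|((add|rm|show|set|unset|bind|unbind) responder (action|policy).*))"
)

# The scope the policy is *meant* to grant: responder objects only.
INTENDED = re.compile(
    r"^(import|rm|show|update) responder htmlpage"
    r"|^(add|rm|show|set|unset|bind|unbind) responder (action|policy)"
)

# Constructed sample audit lines in the general shape of ns.log CMD_EXECUTED
# entries; not real device output.
SAMPLE_LOG = """\
... default CLI CMD_EXECUTED 101 0 : User ladmin1 - Remote_ip 203.0.113.5 - Command "import responder htmlpage http://intranet.example/maint.html maint_page" - Status "Success"
... default CLI CMD_EXECUTED 102 0 : User ladmin1 - Remote_ip 203.0.113.5 - Command "add system file unrelated.conf" - Status "Success"
... default CLI CMD_EXECUTED 103 0 : User ladmin1 - Remote_ip 203.0.113.5 - Command "add lb vserver v1 HTTP 10.0.0.1 80" - Status "ERROR: Not authorized"
"""

LINE_RE = re.compile(r'CMD_EXEC\w* .*?User (\S+) .*?Command "([^"]*)" - Status "([^"]*)"')


def parse_cmd_exec(text):
    """Extract (user, command, status) from lines that look like CMD_EXECUTED audit events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"user": m.group(1), "command": m.group(2), "status": m.group(3)})
    return events


def policy_allows(command, pattern=CUSTOM_IMPORTADMIN):
    """Assumption: the device applies the cmdPolicy as a regex search over the command line."""
    return re.search(pattern, command) is not None


def review(text, pattern=CUSTOM_IMPORTADMIN):
    """Per event: 'intended' (responder scope), 'broad' (allowed only via the
    system file / sftp-server alternatives) or 'denied' (no match at all)."""
    out = []
    for ev in parse_cmd_exec(text):
        cmd = ev["command"]
        if not policy_allows(cmd, pattern):
            verdict = "denied"
        elif INTENDED.search(cmd):
            verdict = "intended"
        else:
            verdict = "broad"
        out.append((ev["user"], cmd, verdict))
    return out


if __name__ == "__main__":
    for user, cmd, verdict in review(SAMPLE_LOG):
        print(f"{verdict:8} {user}: {cmd}")
```

Feed it real ns.log lines (for example the output of the tail | grep above) to see every command a test account exercised and which of them only got through on the broad grants.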